In a previous post I introduced The Employees — virtual employees that cost a fraction of what a human assistant charges, with real agency and specialization for the digital economy of the 21st century. You can find them at shop.the-employees.com.
Today I want to share a real case study.
Meet Amel.ia
Amel.ia is one of our AI agents at The Employees. Her job is managing the website of a political party I'm involved with — a project I wrote about in another post about how a political party operates in the age of agents.
The person driving the website redesign has zero technical background. No coding experience. No web development knowledge. Nothing.
And yet they are leading the development of version 2.0 of the landing page — one of the highest-impact tasks in the entire project.
They prompt the agent. They point out what needs to change. They listen to feedback in the coordination group. They iterate. And when something is ready, the agent deploys it to a safe staging environment.
No SSH. No Git commands. No "deploy pipelines" to understand. Just natural language instructions and a workflow that feels like managing a team member.
The old way
How would this have been done before AI agents?
- WordPress — install, configure, maintain
- A developer or manager — someone who understands the stack
- Elementor or similar — with its license cost
- Security anxiety — that constant fear of missing an update, a plugin vulnerability, or a misconfiguration that turns your site into a sieve
The result is a website that "works" but requires continuous maintenance, costs money in licenses and developer time, and carries a security surface area that keeps growing with every plugin you add.
The new way
Today, that same landing page is:
- HTML + CSS — clean, minimal, no framework dependency
- Deployed on Cloudflare Pages
- Zero supply-chain risk — no plugins, no third-party themes, no WordPress core updates to miss
- Managed by a non-technical person through an AI agent
The attack surface went from "WordPress + 15 plugins + Elementor + theme" to "static HTML files on a CDN." For this use case, that's the right architecture.
Why zero dependencies matters more than ever
Software supply-chain attacks are the biggest threat facing open source right now, and they're getting worse.
In 2025, detections of malicious packages hidden inside open-source libraries jumped 73% year over year according to ReversingLabs. Sonatype identified over 454,600 new malicious packages in 2025 alone, bringing the cumulative total to over 1.2 million known malicious packages across npm, PyPI, Maven Central, NuGet, and Hugging Face.
These aren't theoretical risks. Here's what happened in just the first few months of 2026:
Axios, one of the most installed npm packages in the JavaScript ecosystem, was compromised through a maintainer account takeover. Malicious versions 1.14.1 and 0.30.4 installed a cross-platform remote access trojan that contacted command-and-control servers and self-deleted to evade detection. Attributed to North Korean APT Lazarus Group.
LiteLLM, a popular AI infrastructure library with 3.4 million daily downloads on PyPI, was poisoned by a threat group called TeamPCP to harvest AWS, GCP, and Azure tokens, SSH keys, and Kubernetes credentials.
36 malicious npm packages disguised as Strapi CMS plugins were discovered deploying reverse shells, harvesting credentials, and dropping persistent implants — all through a simple npm install.
Shai-Hulud, the first-ever self-replicating npm malware, compromised over 500 packages autonomously, spreading like a network worm through developer environments and exposing an estimated 25,000 GitHub repositories.
Every time a developer types npm install or pip install, they're placing a bet that the package they're pulling in isn't malicious. And in 2025, those odds got significantly worse.
The XZ Utils backdoor of 2024 — where an attacker spent two years patiently building trust before inserting a backdoor into a compression library used by virtually every Linux distribution — proved that even the most scrutinized open-source projects are vulnerable. Group-IB's February 2026 report concluded that supply-chain attacks have become "the dominant force reshaping the global cyber threat landscape".
Not having dependencies is the fix
This isn't viable for every use case. A complex web application with dynamic content, user accounts, and e-commerce needs a framework, a database, and dependencies. No way around that.
But for a political party landing page? A brochure site? A portfolio? An event page?
HTML + CSS on Cloudflare Pages eliminates the supply-chain vector entirely. No package.json to poison. No plugin to compromise. No maintainer account to steal. No npm install to execute.
The site can't be compromised through a dependency because there are no dependencies.
The barrier is dropping
The person building this website never wrote a line of HTML in their life. And yet they're deploying changes to production infrastructure.
Political parties, small businesses, community organizations — they all need a web presence. They can't afford a developer on retainer. The DIY tools either limit what you can do or expose you to security risks. And now, with supply-chain attacks at an all-time high, the "just use WordPress" advice is worse than ever.
An AI agent changes the equation. Cost drops to a fraction of a developer's hourly rate. The person who knows the organization best can make changes directly. Static sites on CDNs with zero dependencies are inherently more secure. And the time from idea to deployment goes from days to minutes.
Not everything has been perfect
I'd be dishonest if I painted this as a seamless experience. Here's what went wrong:
- We got burned by token abuse. During an intensive session, the agent hit usage limits and we were locked out. Had to wait for quota reset.
- Rate limits are real. When you're iterating quickly on a design, hitting API rate limits kills momentum. You learn to pace yourself.
- There's an adoption cost. The person using the agent had to learn how to communicate with it — what instructions work, what level of detail is needed, when to iterate vs. start over. It's not zero friction.
But both the agent operator and the end user agree: the result is positive. The website is live, it's secure, it's fast, and someone with no technical skills is maintaining it. That would have been impossible six months ago.
Next week I'll share more details about the project and the person behind it. Stay tuned.
If you're curious about what an AI employee can do for your organization, visit shop.the-employees.com.